Eye On Privacy (https://www.eyeonprivacy.com)
Timely Updates and Analysis on Privacy and Cybersecurity Issues
Feed last built: Wed, 22 May 2019 23:13:36 +0000

Feds Want New IoT Guidance to Address Security Vulnerabilities
https://www.eyeonprivacy.com/2019/05/guidance-address-security-vulnerabilities/ (Wed, 22 May 2019 23:07:48 +0000)

“Internet of Things” devices are listening. And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices, i.e., any device connected to the internet that is not a “general purpose computing device.”

This legislation calls on the National Institute of Standards and Technology (NIST) to take several actions. First is to review how companies can manage IoT cybersecurity risks. The review should be done by September 30, 2019 and cover, at a minimum, several key elements. These include identity management and patching. They also include secure development and configuration management. Second, the legislation calls on NIST to recommend minimum information security requirements for managing IoT cybersecurity risks. The deadline under the legislation for this is March 31, 2020. Third, the new legislation calls on NIST to publish guidance on sharing security vulnerabilities in devices used by the federal government. Part of this is sharing potential fixes to those security vulnerabilities.

Putting it Into Practice: While still in the early stages, if the legislation passes, agencies will eventually be prohibited from acquiring or using devices from any contractor or vendor that does not have appropriate safeguards in place. This will likely impact all companies that make IoT devices. The impact will either be direct, where an organization provides these devices to the federal government, or indirect, where an organization uses the NIST standards as a baseline for the security of its devices.

Ding Dong the CCPA Private Right of Action is (Mostly) Dead!
https://www.eyeonprivacy.com/2019/05/ccpa-sb-561/ (Fri, 17 May 2019 22:35:57 +0000)

Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in the Senate Appropriations Committee during a hearing held yesterday. While the act as originally drafted only provided for Attorney General enforcement (except for one section addressing data security breaches), SB 561 added a private right of action as well as statutory damages for any violation of the act. This amendment clearly would have significantly increased the risks of any failure to comply with CCPA, no matter how small. But remember the words of Miracle Max – “There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.” So while it is possible that another amendment could be introduced at a later date, for now at least, the act will likely remain as drafted with enforcement coming only from the AG’s office, except in data breaches.

Putting it Into Practice: Companies should remain diligent in their compliance efforts—this is not a reason to ratchet down diligence and remediation. It is, however, a welcome reduction in risk and compliance costs for all businesses subject to the law. <<Collective sigh of relief.>>

New Jersey Breach Notice Law Expands To Cover Online Account Breaches
https://www.eyeonprivacy.com/2019/05/new-jersey-online-account-breaches/ (Thu, 16 May 2019 16:44:06 +0000)

New Jersey joins a growing list of states that treat as personal information a user name, email address or any other identifier, in combination with any password or security question and answer that would permit access to an online account; a breach of that information gives rise to a duty to notify. Other states whose breach notice statutes are “triggered” by these identifiers include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019.

Should a company find that online account credentials have been breached, it can provide notice to the impacted individuals through an electronic notice or other format that directs the individual to update their password and security question or answer, as well as advising the individual to take other appropriate steps to protect their online accounts. If an email account has been breached, notice must be provided in a form of communication other than by email to the impacted email account.

Putting it Into Practice: Companies should keep in mind that beginning September 1, breaches to online account credentials (username or email address and password) will require notice in New Jersey.

HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability
https://www.eyeonprivacy.com/2019/05/hhs-notice-of-enforcement-discretion/ (Wed, 15 May 2019 15:59:32 +0000)

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties (CMPs) under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed.

Now, as a result of the Notice, the cumulative annual CMP limit is different depending on the category of violation (and, by extension, the level of culpability of the violator):
(1) for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated HIPAA, the total annual limit is now $25,000;
(2) for each violation due to reasonable cause and not to willful neglect, the total annual limit is now $100,000 per year;
(3) for each violation due to willful neglect that is corrected within 30 days, the total annual limit is now $250,000; and
(4) for each violation due to willful neglect that is not corrected within 30 days, the total annual limit remains $1.5 million.

Putting it Into Practice: According to HHS, forty percent (40%) of the cases where HHS has taken enforcement action to date have involved willful neglect that is not corrected, the category for which HHS has retained the $1.5 million annual cumulative CMP limit. While most will focus on the fact that this is a significant number of cases still subject to the maximum penalty of $1.5 million, it is also the case that for over half of cases to date, the maximum penalty level HHS could have imposed per year would have been less had those cases occurred after the Notice. HHS’s changes suggest that covered entities and business associates should do everything they can to ensure that their culpability levels for violations are low. The lower the culpability level of the violator, the lower the maximum penalty HHS will levy.

Utah Requires Law Enforcement Search Warrants
https://www.eyeonprivacy.com/2019/05/itah-search-warrant-electronic-records/ (Tue, 14 May 2019 17:19:41 +0000)

Effective this week, law enforcement in Utah will need a search warrant to obtain certain electronic records. The new state legislation looks to expand privacy protections for content that consumers store online. Generally, the third-party doctrine limits the protection this type of information receives under Fourth Amendment protections against unreasonable searches and seizures. The rationale is that individuals have already voluntarily disclosed this information to the service provider and, thus, have no reasonable expectation of privacy in that information. This new law seeks to chip away at the third-party doctrine, as consumers are putting more and more of their personal information online in the hands of service providers with the expectation that the information will stay private. What this means in practice is that state and local law enforcement in Utah will need to meet a greater burden of proof to access this content. If you are a service provider, you may want to take another look at any legal process you receive from Utah law enforcement. The legislation does leave several exceptions to the new warrant requirement, including the ability for providers to voluntarily release information to law enforcement in certain circumstances and to allow for subpoena requests from law enforcement for a “subscriber record.”

Putting it Into Practice: ISPs and those who receive requests from law enforcement for electronic records should keep in mind the new restrictions under this Utah law.

HHS Announces First HIPAA Breach Settlement of 2019; 300,000 Patients Affected
https://www.eyeonprivacy.com/2019/05/hhs-first-hipaa-breach-2019/ (Mon, 13 May 2019 18:00:07 +0000)

On May 6, 2019, the U.S. Department of Health and Human Services announced that Touchstone Medical Imaging will pay $3 million to settle potential HIPAA violations associated with a breach that exposed more than 300,000 patients’ Protected Health Information. The breach occurred in May 2014. One of Touchstone’s servers allowed uncontrolled access to patients’ PHI. As a result, Touchstone patients’ PHI was visible on the Internet. During its investigation, HHS determined that Touchstone did not thoroughly investigate the breach until several months after it was informed of the breach by law enforcement. HHS also found that the company did not conduct an accurate analysis of potential risks to the confidentiality of its PHI and did not have business associate agreements in place with its vendors.

Putting it Into Practice: This case is a reminder for entities to swiftly respond to suspected and known security incidents and to ensure that appropriate steps are taken to prevent such incidents from occurring in the first place. Steps include performing risk analyses and adopting business associate agreements with vendors.

North Dakota Data Misuse Law Amended
https://www.eyeonprivacy.com/2019/05/north-dakota-data-misuse-law-amended/ (Fri, 10 May 2019 18:56:42 +0000)

North Dakota criminal law currently contains penalties for misusing the personal information of another. That law has been expanded, and beginning August 1, 2019, it is a class B felony to use a skimmer or scanning device to try to get information from a payment card, credit card, or state ID without the permission of the authorized card holder. Also changing August 1 is the definition of personal information, which gains more elements: namely, payment card information, biometric data, and other “numbers, documents or information that can be used to access another person’s financial records.” Existing elements in the law included social security numbers, employee ID, mother’s maiden name, and the like.

Putting it Into Practice: This amendment is a reminder that states have a variety of laws in place aimed at protecting individuals from the misuse of their personal information. These laws are constantly being re-examined, and the definition of personal information is ever-expanding.

Washington’s Breach Law Amended, Effective March 2020
https://www.eyeonprivacy.com/2019/05/washingtons-breach-law-amended-effective-march-2020/ (Thu, 09 May 2019 18:10:51 +0000)

Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) with this element in its law. Also included are name and student ID number, military ID number, or passport number; name and health insurance numbers or medical information; and name and biometric information. Login credentials are now also included in the definition of personal information.

In addition to expanding the definition of personal information, the law will also require notification to impacted individuals and the attorney general (if more than 500 residents have been impacted) within 30 days, rather than the current 45. When providing notice, companies will also need to explain the “time frame of exposure,” in addition to existing content requirements (like the types of information impacted).

Putting it Into Practice: Companies will have time before the Washington amendment goes into effect, but should keep in mind that beginning next year the scope of personal information has been broadened in Washington, and that the time frame for notification will be shortened to 30 days.

CFTC Allows Certain Dealers and Merchants to Avoid Annual Privacy Notice
https://www.eyeonprivacy.com/2019/05/cftc-glb-privacy-notice/ (Wed, 08 May 2019 18:26:37 +0000)

Beginning May 28, 2019, certain dealers and merchants will be able to avoid sending out an annual privacy notice, under a revision the Commodity Futures Trading Commission has made to its GLB privacy regulations. Under GLB, financial institutions must send customers annual privacy notices. The law applies to futures commission merchants, commodities trading advisors, commodity pool operators, and introducing brokers through regulations enforced by the CFTC. The CFTC, unlike other regulators that enforce GLB, had not prior to this amendment permitted regulated entities to avoid an annual notice. Other regulators had done so, pursuant to a 2015 amendment to GLB, in certain prescribed circumstances.

Now, as with other regulators, the CFTC will allow covered entities to avoid sending an annual notice provided that the covered entities share nonpublic personal information only in limited circumstances and have not changed their privacy practices since the last-sent privacy notice. The circumstances in which a covered entity can share nonpublic personal information and still avoid sending an annual notice include sharing with a third party to perform services for the covered entity, to perform a transaction that a consumer authorizes, or with the consumer’s consent.

Putting it Into Practice: Entities regulated by the CFTC will now enjoy the same exception to the annual notice requirement as other financial services firms. Companies that are thinking about whether or not the exception applies should examine their sharing practices, as well as understand whether any practices have changed since the last-sent notice.

EDPB Seeks Comment On Online Services Guidance
https://www.eyeonprivacy.com/2019/04/edpb-online-services-guidance/ (Tue, 23 Apr 2019 17:33:42 +0000)

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might instead be processed under one of the other legal bases that exist under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.

In the proposed guidance, the EDPB points out that just because a particular use of information is outlined in a contract, this does not make such use “necessary.” Instead, the EDPB looks to the purpose of processing and the context of the contractual relationship. If there are less intrusive ways to process information, then the use is, according to the EDPB, not “necessary.” The EDPB provides examples, including where a user purchases something from an eRetail company by credit card, to be delivered to the user’s home. In this situation, processing both the credit card number and the home address is “necessary.” But, if the person wanted to pick the product up, then gathering the home address would not be “necessary.” Expanding on the example, if this same eRetailer wants to create a profile of the user’s “tastes and lifestyle choices” it will need to rely on a legal basis outside of the contractual one, according to the guidance. Similarly, using information to understand usage of an online platform would not be use “necessary to perform a contract,” and instead would fall under an alternate legal basis, like (according to the EDPB) legitimate interest or consent.

Putting it Into Practice: Those interested can provide comments by 24 May to EDPV@edpb.europa.eu (comments will be published on the EDPB website). In the meantime, the proposal provides a useful overview of what the EDPB considers processing that is “necessary” for the performance of a contract, and when a company would need to rely on another legal basis.